CLAIMS 

What is claimed is: 



1 1 . A method of securely establishing a call between a first node of a voice over Internet 

2 Protocol call connection and a second node thereof, the method comprising the computer- 

3 implemented steps of: 

4 receiving non-encrypted authentication request information from the first node; 

5 receiving, from an authentication server that is communicatively coupled to the second 

6 node, an authentication message indicating whether the first node is authenticated 

7 based on the non-encrypted authentication request information; 

8 establishing a call between' the second node and the first node only when the 

9 authentication message indicates that the first node is authenticated at the 
10 authentication server. 

1 2. A method as recited in Claim 1 , wherein the step of receiving non-encrypted 

2 authentication request information comprises the steps of receiving an access token 

3 comprising a general identifier value, a time stamp value, a challenge value, and a 

4 random value. 

1 3. A method as recited in Claim 1 , wherein the step of receiving non-encrypted 

2 authentication request information comprises the steps of receiving an H.235 ClearToken 

3 comprising a general identifier value, a time stamp value, a challenge value, and a 

4 random value. 

1 4. A method as recited in Claim 1 , wherein the step of receiving non-encrypted 

2 authentication request information further comprises the steps of: 

3 determining whether the authentication request information was created within a 

4 reasonable time with respect to the then-current time; 
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5 issuing a request for authentication to the authentication server only when the 

6 authentication request information was created within a reasonable time with 

7 respect to the then-current time. 

1 5. The method as recited in Claim 1 , further comprising the steps of: 

2 receiving a password that is associated with the first node; 

3 generating an authentication response based on the password and challenge information 

4 contained in the authentication request information; 

5 determining whether the authentication response matches the authentication request 

6 information; 

7 issuing authentication approval information in the authentication message only when the 
Q 8 authentication response matches the authentication request information. 

jS » 1 6. The method as recited in Claim 1 , further comprising the steps of: 

I U 2 receiving a password that is associated with the first node; 

(ft 3 generating a Challenge Handshake Authentication Protocol (CHAP) response based on 
;!«. 4 the password and implied CHAP challenge information contained in the 

J* 5 authentication request information; 

[:J; 6 determining whether the authentication response matches the authentication request 
□ 7 information based on CHAP; 

8 issuing authentication approval information in the authentication message only when the 

9 authentication response matches the authentication request information based on 
10 CHAP. 

1 7. A method of securely establishing a call in a voice over Internet Protocol call connection 

2 system that includes a first gateway at a call origination point, a first gatekeeper, a second 

3 gatekeeper, a second gateway at a call termination point, and an authentication server that 

4 is communicatively coupled to the first gatekeeper and the second gatekeeper, the method 

5 comprising the computer-implemented steps of: 

6 receiving non-encrypted authentication request information from the first gateway; 
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receiving from the authentication server an authentication message indicating whether the 
first gateway is authenticated based on the non-encrypted authentication request 
information; 

establishing a call between the second gateway and the first gateway only when the 
authentication message indicates that the first gateway is authenticated at the 
authentication server. 



8. A method as recited in Claim 7, further comprising the steps of: 
receiving a call setup request message at the first gateway; 

creating and storing the non-encrypted authentication request information based on the 
current time and information that uniquely identifies the first gateway; 

requesting the second gateway to set up a call based on the authentication request 
information. 



9. A method as recited in Claim 8, further comprising the steps of: 

determining whether the authentication request information was created within a 

reasonable time with respect to the then-current time at the second gatekeeper; 
requesting the authentication server to carry out authentication of the first gateway only 
when the authentication request information was created within a reasonable time 
with respect to the then-current time at the second gatekeeper. 



10. A method as recited in Claim 7, wherein the step of receiving non-encrypted 

authentication request information comprises the steps of receiving an access token 
comprising a general identifier value, a time stamp value, a challenge value, and a 
random value. 



11. A method as recited in Claim 7, wherein the step of receiving non-encrypted 

authentication request information comprises the steps of receiving an H.235 ClearToken 
comprising a general identifier value, a time stamp value, a challenge value, and a 
random value. 
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1 12. The method as recited in Claim 7, further comprising the steps of: 

2 receiving a password that is associated with the first gateway; 

3 generating an authentication response based on the password and challenge information 

4 contained in the authentication request information; 

5 determining whether the authentication response matches the authentication request 

6 information; 

7 issuing authentication approval information in the authentication message only when the 

8 authentication response matches the authentication request information. 

1 13. The method as recited in Claim 7, further comprising the steps of: 

2 receiving a password that is associated with the first gateway; 

3 generating an authentication response based on the password and challenge information 

4 contained in the authentication request information; 

5 determining whether the authentication response matches the authentication request 

6 information; 

7 issuing authentication approval information in the authentication message to the second 

8 gatekeeper only when the authentication response matches the authentication 

9 request information; 

10 issuing authentication rejection information in the authentication message to the second 

1 1 gatekeeper when the authentication response does not match the authentication 

1 2 request information. 

1 14. The method as recited in Claim 7, further comprising the steps of: 

2 receiving a password that is associated with the first gateway; 

3 generating a Challenge Handshake Authentication Protocol (CHAP) response based on 

4 the password and implied CHAP challenge information contained in the 

5 authentication request information; 

6 determining whether the authentication response matches the authentication request 

7 information based on CHAP; 
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8 issuing authentication approval information in the authentication message only when the 

9 authentication response matches the authentication request information based on 
10 CHAP. 

1 15. The method as recited in Claim 12, wherein the step of establishing a call between the 

2 second gateway and the first gateway comprises the step of establishing a call between 

3 the second gateway and the first gateway only when authentication approval information 

4 is received in the authentication message. 

1 16. A method of securely establishing a call in a voice over Internet Protocol call connection 

2 system that includes a first gateway at a call origination point, a first gatekeeper, a second 

3 gatekeeper, a second gateway at a call termination point, and an authentication server that 

4 is communicatively coupled to the first gatekeeper and the second gatekeeper, the method 

5 comprising the computer-implemented steps of: 

6 receiving user identification information from the first gateway that comprises a user 

7 identifier and a personal identification number that are uniquely associated with a 

8 calling party who originates a call using the first gateway; 

9 receiving from the authentication server a first authentication message indicating whether 

1 0 the user identification information is authenticated; 

1 1 receiving non-encrypted authentication request information from the first gateway; 

12 receiving from the authentication server a second authentication message indicating 

1 3 whether the first gateway is authenticated based on the non-encrypted 

14 authentication request information; 

1 5 establishing a call between the second gateway and the first gateway for the calling party 

16 only when the first authentication message indicates that the user identification 

1 7 information is authenticated and the second authentication message indicates that 

1 8 the first gateway is authenticated at the authentication server. 
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17. A method as recited in Claim 16, wherein the step of receiving non-encrypted 
authentication request information comprises the steps of receiving an access token 
comprising a general identifier value, a time stamp value, a challenge value, and a 
random value. 

18. A method as recited in Claim 1 6, wherein the step of receiving non-encrypted 
authentication request information comprises the steps of receiving an H.235 ClearToken 
comprising a general identifier value, a time stamp value, a challenge value, and a 
random value. 

19. A method as recited in Claim 16, wherein the step of receiving non-encrypted 
authentication request information further comprises the steps of: 
determining whether the authentication request information was created within a 

reasonable time with respect to the then-current time; 
issuing a request for authentication to the authentication server only when the 

authentication request information was created within a reasonable time with 
respect to the then-current time. 

20. The method as recited in Claim 16, further comprising the steps of: 
receiving a password that is associated with the first gateway; 

generating an authentication response based on the password and challenge information 

contained in the authentication request information; 
determining whether the authentication response matches the authentication request 

information; 

issuing authentication approval information in the authentication message only when the 
authentication response matches the authentication request information. 

2 1 . The method as recited in Claim 1 6, further comprising the steps of: 
receiving a password that is associated with the first gateway; 
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3 generating a Challenge Handshake Authentication Protocol (CHAP) response based on 

4 the password and implied CHAP challenge information contained in the 

5 authentication request information; 

6 determining whether the authentication response matches the authentication request 

7 information based on CHAP; 

8 issuing authentication approval information in the authentication message only when the 

9 authentication response matches the authentication request information based on 
10 CHAP. 

1 22. A method as recited in Claim 16, wherein the step of receiving non-encrypted user 

2 identification information further comprises the steps of: 

3 determining whether the user identification information was created within a reasonable 

4 time with respect to the then-current time; 

5 issuing a request for authentication to the authentication server only when the user 

6 identification information was created within a reasonable time with respect to the 

7 then-current time. 

1 23. The method as recited in Claim 16, further comprising the steps of: 

2 retrieving a personal identification value that is associated with the user account number 

3 in the user identification information; 

4 determining whether the personal identification value matches the personal identification 

5 number that is in the user identification information; 

6 issuing authentication approval information in the authentication message only when the 

7 personal identification value matches the personal identification number that is in 

8 the user identification information. 

1 24. A computer-readable medium carrying one or more sequences of instructions for securely 

2 establishing a call between a first node of a voice over Internet Protocol call connection 

3 and a second node thereof, which instructions, when executed by one or more processors, 

4 cause the one or more processors to carry out the steps of: 

5 receiving non-encrypted authentication request information from the first node; 

35; 
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6 receiving, from an authentication server that is communicatively coupled to the second 

7 node, an authentication message indicating whether the first node is authenticated 

8 based on the non-encrypted authentication request information; 

9 establishing a call between the second node and the first node only when the 

10 authentication message indicates that the first node is authenticated at the 

1 1 authentication server. 

1 25. A computer-readable medium as recited in Claim 24, wherein the step of receiving non- 

2 encrypted authentication request information comprises the steps of receiving an access 

3 token comprising a general identifier value, a time stamp value, a challenge value, and a 

4 random value. 

1 26. A computer-readable medium as recited in Claim 24, wherein the step of receiving non- 

2 encrypted authentication request information comprises the steps of receiving an H.235 

3 ClearToken comprising a general identifier value, a time stamp value, a challenge value, 

4 and a random value. 

1 27. A computer-readable medium as recited in Claim 24, wherein the step of receiving non- 

2 encrypted authentication request information further comprises the steps of: 

3 determining whether the authentication request information was created within a 

4 reasonable time with respect to the then-current time; 

5 issuing a request for authentication to the authentication server only when the 

6 authentication request information was created within a reasonable time with 

7 respect to the then-current time. 

1 28. The computer-readable medium as recited in Claim 24, further comprising the steps of: 

2 receiving a password that is associated with the first node; 

3 generating an authentication response based on the password and challenge information 

4 contained in the authentication request information; 

5 determining whether the authentication response matches the authentication request 

6 information; 
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7 issuing authentication approval information in the authentication message only when the 

8 authentication response matches the authentication request information. 

1 29. The computer-readable medium as recited in Claim 24, further comprising the steps of: 

2 receiving a password that is associated with the first node; 

3 generating a Challenge Handshake Authentication Protocol (CHAP) response based on 

4 the password and implied CHAP challenge information contained in the 

5 authentication request information; 

6 determining whether the authentication response matches the authentication request 

7 information based on CHAP; 

8 issuing authentication approval information in the authentication message only when the 

9 authentication response matches the authentication request information based on 
10 CHAP. 

1 30. An apparatus for securely establishing a call between a first node of a voice over Internet 

2 Protocol call connection and a second node thereof, which instructions, comprising: 

3 means for receiving non-encrypted authentication request information from the first node; 

4 means for receiving, from an authentication server that is communicatively coupled to the 

5 second node, an authentication message indicating whether the first node is 

6 authenticated based on the non-encrypted authentication request information; 

7 establishing a call between the second node and the first node only when the 

8 authentication message indicates that the first node is authenticated at the 

9 authentication server. 

1 31. An apparatus for securely establishing a call between a first node of a voice over Internet 

2 Protocol call connection and a second node thereof, comprising: 

3 a network interface that is coupled to the data network for receiving one or more packet 

4 flows therefrom; 

5 a processor; 

6 one or more stored sequences of instructions which, when executed by the processor, 

7 cause the processor to carry out the steps of: 
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8 receiving non-encrypted authentication request information from the first node; 

9 receiving, from an authentication server that is communicatively coupled to the 

10 second node, an authentication message indicating whether the first node 

1 1 is authenticated based on the non-encrypted authentication request 

12 information; 

1 3 establishing a call between the second node and the first node only when the 

14 authentication message indicates that the first node is authenticated at the 

15 authentication server. 
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